Edit tour
Windows
Analysis Report
zs5n5sI6N2
Overview
General Information
| Sample Name: | zs5n5sI6N2 (renamed file extension from none to dll) |
| Analysis ID: | 633919 |
| MD5: | 9ce6868cb546819a7ba2fc27f91a3777 |
| SHA1: | 6052120b0375f44ede4985ad98f7bd89beb70c2b |
| SHA256: | fc4bee1a68545b7067fad93ba74478641acd683117f9fe478a4941d7146db959 |
| Tags: | dllGoziITAursnif |
| Infos: |  |
 | |
Detection
Ursnif
| Score: | 100 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Found malware configuration
Multi AV Scanner detection for submitted file
Yara detected Ursnif
System process connects to network (likely due to code injection or exploit)
Antivirus detection for URL or domain
Snort IDS alert for network traffic
Maps a DLL or memory area into another process
Writes to foreign memory regions
Changes memory attributes in foreign processes to executable or writable
Machine Learning detection for sample
Allocates memory in foreign processes
Uses ping.exe to check the status of other devices and networks
Self deletion via cmd delete
Uses ping.exe to sleep
Injects code into the Windows Explorer (explorer.exe)
Modifies the context of a thread in another process (thread injection)
Creates a thread in another existing process (thread injection)
Disables SPDY (HTTP compression, likely to perform web injects)
Writes registry values via WMI
Uses 32bit PE files
Queries the volume information (name, serial number etc) of a device
One or more processes crash
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
PE file contains sections with non-standard names
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Contains functionality to launch a process as a different user
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Found dropped PE file which has not been started or loaded
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
PE file contains an invalid checksum
Searches for the Microsoft Outlook file path
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Checks if the current process is being debugged
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Compiles C# or VB.Net code
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Classification
- System is w10x64
loaddll32.exe (PID: 3456 cmdline: loaddll32. exe "C:\Us ers\user\D esktop\zs5 n5sI6N2.dl l" MD5: 7DEB5DB86C0AC789123DEC286286B938) 
cmd.exe (PID: 6012 cmdline: cmd.exe /C rundll32. exe "C:\Us ers\user\D esktop\zs5 n5sI6N2.dl l",#1 MD5: F3BDBE3BB6F734E357235F4D5898582D) 
rundll32.exe (PID: 4452 cmdline: rundll32.e xe "C:\Use rs\user\De sktop\zs5n 5sI6N2.dll ",#1 MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D) 
control.exe (PID: 6364 cmdline: C:\Windows \system32\ control.ex e -h MD5: 625DAC87CB5D7D44C5CA1DA57898065F) - explorer.exe (PID: 3616 cmdline:
C:\Windows \Explorer. EXE MD5: AD5296B280E8F522A8A897C96BAB0E1D) - cmd.exe (PID: 260 cmdline:
C:\Windows \System32\ cmd.exe" / C ping loc alhost -n 5 && del " C:\Users\u ser\Deskto p\zs5n5sI6 N2.dll MD5: 4E2ACF4F8A396486AB4268C94A6A245F) - conhost.exe (PID: 5896 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - PING.EXE (PID: 5988 cmdline:
ping local host -n 5 MD5: 6A7389ECE70FB97BFE9A570DB4ACCC3B) - RuntimeBroker.exe (PID: 4440 cmdline:
C:\Windows \System32\ RuntimeBro ker.exe -E mbedding MD5: C7E36B4A5D9E6AC600DD7A0E0D52DAC5) - cmd.exe (PID: 2960 cmdline:
cmd /C "ns lookup myi p.opendns. com resolv er1.opendn s.com > C: \Users\use r\AppData\ Local\Temp \1759.bi1" MD5: 4E2ACF4F8A396486AB4268C94A6A245F) 
WerFault.exe (PID: 3176 cmdline: C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 456 -s 272 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) - WerFault.exe (PID: 1800 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 456 -s 408 MD5: 9E2B8ACAD48ECCA55C0230D63623661B) - WerFault.exe (PID: 5172 cmdline:
C:\Windows \SysWOW64\ WerFault.e xe -u -p 3 456 -s 436 MD5: 9E2B8ACAD48ECCA55C0230D63623661B)
mshta.exe (PID: 6732 cmdline: C:\Windows \System32\ mshta.exe" "about:<h ta:applica tion><scri pt>Cwbm='w script.she ll';resize To(0,2);ev al(new Act iveXObject (Cwbm).reg read('HKCU \\\Softwar e\\AppData Low\\Softw are\\Micro soft\\54E8 0703-A337- A6B8-CDC8- 873A517CAB 0E\\\TestL ocal'));if (!window.f lag)close( )</script> MD5: 197FC97C6A843BEBB445C1D9C58DCBDB) 
powershell.exe (PID: 6824 cmdline: "C:\Window s\System32 \WindowsPo werShell\v 1.0\powers hell.exe" new-alias -name asyt srjo -valu e gp; new- alias -nam e famnsyvw eq -value iex; famns yvweq ([Sy stem.Text. Encoding]: :ASCII.Get String((as ytsrjo "HK CU:Softwar e\AppDataL ow\Softwar e\Microsof t\54E80703 -A337-A6B8 -CDC8-873A 517CAB0E") .UrlsRetur n)) MD5: 95000560239032BC68B4C2FDFCDEF913) - conhost.exe (PID: 6848 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) - csc.exe (PID: 7156 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cs c.exe" /no config /fu llpaths @" C:\Users\u ser\AppDat a\Local\Te mp\rn2v1u0 v\rn2v1u0v .cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D) - cvtres.exe (PID: 5080 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESBB61.tm p" "c:\Use rs\user\Ap pData\Loca l\Temp\rn2 v1u0v\CSCE 8729092494 447E68BAFD 2B3DE7C4FE .TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D) - csc.exe (PID: 5092 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cs c.exe" /no config /fu llpaths @" C:\Users\u ser\AppDat a\Local\Te mp\0rxpcrx p\0rxpcrxp .cmdline MD5: B46100977911A0C9FB1C3E5F16A5017D) - cvtres.exe (PID: 6392 cmdline:
C:\Windows \Microsoft .NET\Frame work64\v4. 0.30319\cv tres.exe / NOLOGO /RE ADONLY /MA CHINE:IX86 "/OUT:C:\ Users\user \AppData\L ocal\Temp\ RESDBAB.tm p" "c:\Use rs\user\Ap pData\Loca l\Temp\0rx pcrxp\CSC8 1748258BEC 6426288BE9 680C960B04 E.TMP" MD5: 33BB8BE0B4F547324D93D5D2725CAC3D)
- cleanup
{"RSA Public Key": "2FCnIUzdNGgeELQ1eLj0bJoMz6Wyhsxr173krpubnAkBznOw2O4zXiS7ovCR4PNNsCIjegHbTvoHWqhvq9RRNZAEBtDWX6mW3yIDXSN0qA1n8qiSRebn1HxZtuyL6FY/BR1nMcmDUet9iMwvlRDxmj+VzyCObUK6W0DHCUtNCB3pyymvgBuZvmOoqHVPJIhNG61j6VPVajqzr24KUke3teaWIZiCXT2orfIpBZFefRCfYuOYhoPg/LDJjkEBPCd72OAc2ekKwF9Tcjmm1Qm9F8aB637Mj7oTJWG5gIc8figdfCIcJsfVqtjVSAcA29hI94eg/OsMoQ7GmaQR3NS4pkbIWbvv0j+obPcxvU7II18=", "c2_domain": ["config.edge.skype.com", "cabrioxmdes.at", "gamexperts.net", "37.10.71.138", "185.158.250.51"], "ip_check_url": ["http://ipinfo.io/ip", "http://curlmyip.net"], "serpent_key": "Jv1GYc8A8hCBIeVD", "tor32_dll": "file://c:\\test\\test32.dll", "tor64_dll": "file://c:\\test\\tor64.dll", "server": "50", "sleep_time": "1", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "60", "time_value": "60", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "60", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "60", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "3000", "SetWaitableTimer_value": "1"}| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security | ||
| JoeSecurity_Ursnif_1 | Yara detected Ursnif | Joe Security |